Integrated Big Data Audit with Internal Control Audit to Dig up the “Swindlers” behind Social Security Funds Misappropriation ()
1. Introduction
In recent years, relying on its “5V” characteristics, “Volume”, “Velocity”, “Variety”, “Value” and “Veracity”, big data analysis technology is good at analyzing large-scale data and already widely used in many professional fields, including audit field. Zibo Audit Bureau has continuously explored the method of combining big data audit with traditional internal control system audit (hereinafter referred to as “Dual Combinations Method”). The internal control audit system has been applied throughout the whole process of major funds for people’s livelihood auditing including social security funds and housing provident funds etc., which has reached the full coverage supervision of the data information of capital flow, business flow and personnel flow (hereinafter referred to as “Third-Flow”). The two aims of detecting problems and plugging loopholes have been achieved. During the pension fund audit that unified organized by National Audit Office, our bureau investigated and handed over a case clue of a huge amount of social security funds misappropriation by using the dual combinations method. The court sentenced the main parties to eight years in prison, and four other people were punished by party and government discipline, which plays a role of alerting and educating for the whole society. It has attracted the great attention of the municipal government and the attention of all walks of life, and promoted the further improvement of the management system and mechanism as well. However, here come up some questions. How do auditors combine the two methods to achieve full coverage of the pension fund audit? And how to dig up clues about this problem in the vast amount of social security data?
2. Conducting Internal Control System Audit of Main Business Processes and Selecting the Right Entry Point
Social security fund is highly time-efficient and changing with policies, which attaches great importance by the government and gathers the public attentions. Therefore, it always arouses social concerns. The implementation of social security policies and the implementation of specific businesses rely on a strict internal control audit system. In the process of social security fund collection, use and management, a huge amount of third-flow data information is produced. Nevertheless, social security data management system is a complex system with all kinds of social security data in the city to implement data centralized management and network operation (Yang, Li, & Su, 2020), the government and competent departments have high requirements for internal control and data quality and safety. In recent years, with the continuous adjustment and improvement of social security policies, the data management system is constantly upgraded, and various social security data information is constantly integrated (Research Group, 2020a), a huge business data was formed, which not only increases the difficulty of audit, but also provides objective conditions and environment for carrying out internal control audit system and big data audit.
According to the above, in specific auditing work, we start from the internal control audit system to analyze and verify the “third-flow” information data. With the aim of checking the implementation of social security policies and measures, we will conduct a thorough investigation of the business control systems and internal control systems of social security agencies, evaluate the soundness and reliability of the internal control system to confirm whether social security policies and measures can be effectively implemented
2.1. Collect the Necessary Data to Verify the Business Management
To start each audit project, it is necessary to collect and study the national, individual provincial internal control systems of social security funds, and consult the business process guidelines and other documents formulated by the audited entity. During the auditing, holding discussion with business personnel, having field observation and filling in internal control questionnaire, testing and verifying whether the relevant system has been established in the internal control system of the main sections such as collection, use and management (Research Group, 2020b). Subsequently, compliance tests were carried out to verify whether the system was implemented and whether the staff of each position performed their duties according to the provisions to check if the relevant data is fully and accurately recorded in business management systems and accounting systems (Wang, 2020; Yuan, 2020).
2.2. Locate the Weak Links of Internal Control
On the basis of the basic evaluation of the internal control system, the critical control points and poorly executed control points are selected as the entry point. Then, extracting relevant internal data from business management system and accounting system. Relevant internal data were extracted, and external data such as provident fund, funeral and death, and subsistence allowance were fully used. Through comparative analysis of various internal and external data, the authenticity and comprehensive of business data and the implementation of policies are confirmed, the weak links of internal control and management are also found, and the clues of audit doubts can be accurately determined as well.
2.3. Case Study
For instance, in the audit of endowment insurance collection in a county, it was found through preliminary investigation that the endowment insurance collection business adopts the method of one vote, the main business process are divided into six steps that involves six different spots in three departments (including two front desk business positions) (Figure 1).
The first step is to business department stuffs collect social insurance charges and examines it according to relevant policies and print triple social security receipt when insured units pay social insurance fees at the reception desk. Then, insured unit staff hands in receipts, cash or transfer checks to the cashier. The second step is to give back the payment receipt with official seal to insured unit staff after the cashier checks and verifies the bill. The transfer check collected will be handed over to the bank staff assisting in the counter, and then the bank assistance staff will deposit the fund income special account. The third step is for re-check position which is responsible for financial department, belonging to backstage supporter business section, to review the transfer receipt and bank
![]()
Figure 1. Six steps for main business process of the endowment insurance collection.
deposit receipt from cashier plus other related information. By using the network integrated business management system, the funds transferred into the fund revenue account shall be confirmed and registered. The fourth step is to accounting manager imports the data of audit receipts and entry notices from business management system to accounting system, form and print accounting vouchers, register electronic account entry. The fifth step is to financial department manager supervises and inspects the responsibilities of each financial post, checks the written vouchers formed in each link of the process and the performance of responsibilities against the standardized operation of the accounting system and business system. The last step is for fund audit spot which is charged by audit department to carry out follow-up supervision and inspection of fund collection.
Based on social security management system regulation, each of the above spots should be joined up and proceed sequentially, which means the subsequent post could start their work only if the previous spots finished the required work. If there is obstruction during the working process or the specified time is exceeded, the system will send out a warning signal. In the mentioned positions, the collection post rotates regularly within the business department, and the manager takes the overall responsibility; Cashier, re-check spot, accounting manager regular rotate among the financial department personnel.
Through the investigation of the internal control system, the preliminary conclusion is drawn: Collection spot is a quite important since it not only relates to whether the calculation of collection data itself is correct, but also matters whether specific policies have been implemented in the implementation, which is the starting point of the whole business process and the basis of various data. Thus, the data in this working spot should be especially validated. And cashier, review spot, accounting manager are all taken charge by the financial department personnel. During the investigation, it is found out that there are some error-prone section such like review data expired, cashier management seal is not standardized managed issues; The audit post basically does not play a serious role in the work, the control point becomes invalid work. If comparing the entire business process as a river, “third-flow” data is like the water in the river, the audit team was not able to conduct a comprehensive inspection of all rivers, only manage the weakness section, just check the collection and re-check spots’ work. On these two “river segments”, the audit team should focus more on the collection spot to print social security receipts and the re-check spot to confirm the funds into the income account of two key sections, verify whether the funds collected in accordance with the policy are fully entered into the special account and registered in the accounting books.
3. Extracting Key Data for Repeated Comparison and Analyzing to Check Whether There Are Weak Links
3.1. Select the Correct Attack Point and Extract the Standard Data Tables
Facing the huge and complex social security data management system, to improve the efficiency of audit work, the audit team requested the social security agency to provide data in the form of standard data sheets based on the investigation of the data management system first. The audit team put forward requirements for the extraction of standard data tables for the two key control points that have been selected. Among them: at the first key control point, extract the first standard data table. The field content includes but is not limited to: the name of the insured unit, the number of the insurance, the serial number of the business manager, the manager, the social security receipt, the pension insurance amount, time of print receipt and other 7 fields; at the second key control point, extract the second standard data table, the field content includes but not limited to: the name of the insured unit, the number of the insurance, the serial number of the business manager, the confirmation time, and the confirmation responsible person and confirmed amount and other 6 fields. After the social security agency provided the above-mentioned complete standard data sheet, we firstly verified the completeness and authenticity of the provided data. In the follow-up comparison, due to errors found, the audit team required the insurance department to re-extract the standard data sheet twice. The practice proof has been verified that the data extraction, comparison, and communication with data providers are a repeated process.
3.2. Identify the Breakthrough Point and Compare the Data
The audit team used the serial number of the business management office and the insurance number of the unit as related fields by providing the two data tables extracted above, compiled an analysis program module, and compared the printing time of collection post receipt with the time for the review post to confirm the income to the special account. the payment records that have been issued and printed social security receipts but have not been confirmed to be paid into the special account, and the data table that has difference between the printing time of the receipt and the confirmation time by a certain number of days (generally, the payment should be made according to the process on the day of printing the receipt, there will not be a large time difference), are all filtered out to form the third data table. The field content of the third data sheet includes, but is not limited to: participating units, participating time, payment amount, persons who responsible for each post and other information. The audit team used the social security records involved in the third data sheet as clues to audit doubts to verify whether all funds were recorded into the account, whether they were recorded on time, and whether there was any transfer or misappropriation of funds. For the first comparison, the audit team compared the printing time of the business section receipt and the time of the review post to confirm the income by more than 7 days as a set condition, and chose more than 130,000 business records to compare. The comparison result showed: There are thousands of suspicious business records of payment which has not paid or not on time were discovered, with so many suspicious data, the verification workload is still very large, meanwhile the suspicious points may not be accurate.
For comparison results, the auditors and the information data management personnel conducted a communication and analysis, which concluded that the audit ideas should be no problem. At the same time, it is understood that if the insured unit fails to pay the fee this month, it will not be able to pay fee for next month, until this month’s fee and the fine is paid, according to the regulations. The audit team set the time difference to exceed 31 days immediately. Thus, there are a total of more than 20,000 doubts, after many trials and errors, there are still 814 doubts. The audit team firstly analyzes and categorizes these suspicious payment records according to certain conditions. After communicating with business personnel, the long-term arrears of payment is an important factor that causes a large payment time difference. The audit team retrieved the social security payment arrears unit list from the Insurance Department to analyze and compare the social security arrears table with the third data table. After verifying and confirming the reason, on the one hand, it was taken as a separate evidence for the arrears of insurance premiums, and the doubtful data was removed from the third table. After excluding the insurance premium owed by the insured unit, there are only more than 100 pieces of doubtful data. The audit team took these over 100 pieces of suspicious data as key targets, categorized them in detail and verified them on the spot. In this way, by analyzing the various elements of internal control step-by-step, the scope of doubts was gradually narrowed, and the clues of doubts were more accurate, which laid the foundation for decentralized verification and enhanced the feasibility of on-site verification.
3.3. Comprehensively Using Various Methods to Verify Suspicious Clues and Problems to Obtain Evidence
The audit team took more than 100 suspicious data clues as key targets, classified the involved collection records according to the specific circumstances. It can be divided into: business with unaccounted funds, printed receipts but no business confirmation in accounting for a long time, non-insured units with registered funds, etc., and conduct a comprehensive review of relevant files, take spot checks on the original vouchers of payment records, records of arrears, etc. Internal verification methods such as account statements, as well as external verification methods such as extended audit of relevant units and external transfer of bank accounts, comprehensively verify the situation one by one, and deal with it separately. Among them: if it is verified that there is no problem, explain the reason why the doubt is not established; if there is a problem after verification, the evidence will be obtained comprehensively from the social security agency and related insured units. Meanwhile, adopting strict confidentiality measures for key doubts, clues and problems to reduce internal and external interference, to ensure that the suspected clues are thoroughly investigated.
After verification, the social security management personnel adopted the method of not recording the payment checks received by the participating units, but directly transferring them to the relevant personal accounts, embezzled a huge amount of pension insurance funds, involving more than 4.2 million yuan in 12 units. The audit team also adopted the same audit ideas and methods, in the endowment insurance payment link of the agency, two funds that should be paid to the insured unit were found and transferred to the personal accounts of social security managers and their friends for embezzlement, that were transferred together.
4. Conclusions
In this paper, we explore the method of combining big data audit with traditional internal control system audit. The main contribution and innovation of this paper are as follows:
1) For business with large business volume and standardized management of information systems, big data thinking should be established, and the idea of combining internal control audits and big data audits should be accepted as well as the various related verification methods. This is the foundation for in-depth audit and full coverage audit of business data, which will be able to greatly improve the efficiency of audit work.
2) Certain measures must be taken to verify the authenticity and completeness of the data which were provided by the audited unit, it is a key factor whether the comparative analysis will be succeed. In the auditing links of business and financial data extraction, comparison and verification of suspicious points, trial and error should be repeatedly tested, plus, the communication and coordination with the audited unit should be strengthened, which is a key link in the clever combination of big data and internal control audit.
3) For the key doubts that exist, it is our duty to not only do internal coordination, but also pay attention to strengthening the confidentiality work, implementing it in the entire process of data extraction, comparison, verification and post-processing. During the process of screening and verifying doubts, any sure doubts clues will not be easily missed, which is an important condition for digging into the major violations of discipline and law deeply.